We've got passwords for pretty much everything online these days, but how secure are they? Our latest insight piece will arm you with everything you need to create the perfect password.
Passwords are the keys to a website, and they are the most common attack vector for cyber criminals or anyone wishing to steal your data.
The ‘human element’ of security is the hardest to predict and prevent because it relies solely on the education of users. So, hopefully this article can help you understand the risks and the methods people use to gain access to websites.
A 2016 study showed that the passwords ‘123456’ and ‘password’ are still the most commonly used passwords (that are recovered from data breaches), and while companies like Microsoft and Facebook have tried to educate users, the trend of easily guessable passwords never seems to end.
Most attackers looking to breach a website use a method called ‘brute forcing’. ‘Brute forcing’ means repeatedly submitting different passwords from a dictionary of entries (using some form of automated tool) in the hope of ‘guessing’ the password. In most cases the tool can make many submission attempts per second and open many simultaneous requests.
Limiting failed attempts per IP address will, in most cases, prevent these attacks. However, this is becoming increasingly easy to circumvent using services such as TOR (The Onion Router), or VPN connections, which let an attacker rotate IP addresses easily by making the end point of the connection a server or relay node rather than the actual IP of their device.
None of these defences helps if your password is just a commonly used word, phrase or pattern. A password such as ‘123456’ or ‘password’ would be cracked instantly (on the average desktop PC), while ‘azxsdcvf’ would take 52 seconds, and ‘zaqwsxcde’ 22 minutes.*
The solution is to strengthen your password by mixing words, numbers, phrases and symbols. A password such as ‘po10t1@l!’ (potential) would take 6 days to crack, while ‘sayingflocklord’ (the last words of paragraphs in the book of Leviticus in the Bible) would take 435 million years, and adding symbols, as in ‘saying@flock!lord£’, increases this to 41 sextillion years.
Minimum 8 characters in length
Contains at least 3 of the following 4:
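As an added illustration (not code from the original article), a small Python check that applies the length and character-class rules above, rejects the common breached passwords the article names, and estimates the brute-force search space behind the cracking times quoted earlier. The guess rate and the common-password list are assumptions chosen for the example.

```python
import string

# Constructed sample of common breached passwords (the article names the first two).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678"}

# The four character classes behind the "3 of 4" rule.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> set:
    """Return the names of the character classes the password actually uses."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """Minimum length, at least 3 of the 4 classes, and not a known common password."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


def search_space(password: str) -> int:
    """Guesses needed to exhaust every string of this length drawn from the classes used.

    This is the best case for the attacker (they already know which classes to try),
    so it is a conservative estimate of strength.
    """
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password)


def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Seconds to exhaust the search space at an assumed offline guess rate of 1e10/s.

    A dictionary entry is tried before any brute force, so it falls instantly.
    """
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ["123456", "azxsdcvf", "po10t1@l!", "sayingflocklord"]:
        print(pw, meets_policy(pw), character_classes(pw), f"{crack_time_seconds(pw):.3g}s")
```

Note that the 3-of-4 rule rejects ‘sayingflocklord’ even though its search space is far larger than that of the 9-character ‘po10t1@l!’: length buys more than character variety does.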
The internet has become a prominent source of everyone’s personal information with the introduction of services such as social networking websites, which have persuaded us to publish more about ourselves than ever. After brute forcing, the second biggest method of breaching a user account is a technique called social engineering.
Social engineering is the psychological manipulation of people in the hope of getting them to perform actions or divulge confidential information. This could involve searching your social network profiles or googling your bio on a website to gather details such as your dog’s name to aid in guessing your password, or finding your email address so they can send you a phishing email telling you to change your password and simply collecting the one you type in. (This could be an entire topic on its own and probably will be in a future article.)
My strongest advice would be to invest in a password manager (some are free), such as Lastpass, Dashlane, Keeper or Logmeinonce. These mean you only have to remember one really good password, and in most cases they will randomly generate a very strong password for every other site that needs one. So how do you remember that really strong password for your password manager of choice? I would strongly recommend against writing it down and putting it under your keyboard; however, I’ve seen people use methods such as remembering a sequence of pages in a book or lyrics in a song and using the words and letters from that sequence.
Password managers should always be combined with some form of two-factor authentication, such as a randomly generated code sent by email or text or produced by a mobile application. Two-factor authentication lets you add an extra method of authentication beyond just a password, usually a randomly generated code from a mobile app or an SMS message to your phone. This also neutralises password theft: an attacker who obtains the password but not the user’s physical device cannot get the code, so the password alone is useless.
* Note: all cracking time estimates come from the free service https://howsecureismypassword.net/